Australian Privacy Principles (APPs)


Also: APPs · Australian Privacy Principles

What they are: The operating rules of the Privacy Act
Cover: Collection, use, storage and access
Through-line: Collect less, disclose plainly
Marketing one: Direct marketing has its own principle

Quick definition

The Australian Privacy Principles, or APPs, are the set of rules that put the Privacy Act 1988 into practice. They govern how organisations collect, use, store, secure and disclose personal information, and the rights people have to access and correct it. One principle deals specifically with direct marketing, which makes them directly relevant to marketers.

How it varies across Australia

Few Australian marketing teams could say which principle each of their data practices falls under, which is exactly why disclosure drifts behind the tooling. Teams that map their stack to the principles once tend to stay clean: every new tool is checked against a known framework instead of being waved through.


The principles, grouped

Open management

Be transparent about how you handle personal information. This is what your privacy policy exists to do.

Collection

Only collect personal information you genuinely need for a current function or activity, and tell people what you are collecting, why, and who it will go to, at or before the point you collect it (or as soon as practicable afterwards).

Use and disclosure

Use or disclose information only for the purpose you collected it for, unless the person consents or the secondary use is related to that purpose and one they would reasonably expect. The direct marketing principle (APP 7) lives here, with its reasonable-expectation and opt-out standard.

Integrity and security

Keep information accurate, up to date and complete; protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure; and destroy or de-identify it once you no longer need it. This is the principle the Notifiable Data Breaches scheme hangs off: if information you hold is accessed or disclosed without authorisation, or lost, in a way likely to cause serious harm, you must notify the affected individuals and the regulator.

Access and correction

Give people the right to see the personal information you hold about them and to ask for it to be corrected.

What it actually means

The Australian Privacy Principles are the working rules underneath the Privacy Act 1988. The Act sets the law, the principles tell you how to follow it. There are thirteen, and they walk through the whole life of personal information.

They start with being open about how you handle data, which is what your privacy policy is for. They cover collection, only gathering what you need and saying why. They cover use and disclosure, limiting use to the purpose you collected for. They cover keeping information accurate and secure, and the rights people have to access their data and correct it.

One principle, APP 7, deals specifically with direct marketing. The default position is that you must not use or disclose personal information for direct marketing unless the person would reasonably expect it or has consented, and every piece of marketing must offer a simple way to opt out, which you must honour without charge.

For marketers the principles are best read as a checklist for the data stack. Every tool that collects, stores or activates personal information touches one or more of them. The common failure is not a dramatic breach, it is the slow drift where new tools get added and the disclosure and consent never catch up.

The principles are not a legal abstraction. They are a checklist your marketing stack either passes or quietly fails.

How it shows up

The principles show up as a gap analysis. Map each tool in the marketing stack to the principle that governs it, then check the privacy policy and consent flow actually reflect it. Gaps appear as data being collected or activated in ways the policy never described, which is the most common privacy failure in marketing.
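The gap analysis above is mechanical enough to script. The block below is an added example, not code from New Rebellion or from the OAIC: it models each tool in a stack as the fields it ingests and the purposes it activates them for, models the privacy policy and consent flow as what they actually disclose, and reports every mismatch under the grouping from this page it falls into. The tools, field names, policy and the simplified reading of the direct marketing test (a marketing notice at collection or an explicit consent, plus an opt-out) are constructed for illustration.

```python
"""Gap analysis of a marketing stack against the principle groupings on this page.

Constructed example: every tool, field and policy value below is invented for
illustration. Map a real inventory into the same shapes to run it for real.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    name: str
    collects: frozenset[str]        # personal-information fields the tool ingests
    purposes: frozenset[str]        # what the tool activates those fields for
    direct_marketing: bool = False  # does it send or target marketing to identified people?
    opt_out_offered: bool = False   # does every marketing touch carry a simple opt-out?


@dataclass(frozen=True)
class Policy:
    disclosed_fields: frozenset[str]       # fields the privacy policy says are collected
    disclosed_purposes: frozenset[str]     # purposes the policy says they are used for
    marketing_in_collection_notice: bool   # collection notice says marketing will follow
    consent_flow_purposes: frozenset[str]  # purposes the consent UI asks people to opt in to


@dataclass(frozen=True)
class Gap:
    tool: str
    principle: str  # grouping from this page that the gap falls under
    detail: str


def gap_analysis(stack: list[Tool], policy: Policy) -> list[Gap]:
    """Return one Gap per mismatch between what the stack does and what was disclosed."""
    gaps: list[Gap] = []
    for tool in stack:
        undisclosed_fields = tool.collects - policy.disclosed_fields
        if undisclosed_fields:
            gaps.append(Gap(tool.name, "Open management / Collection",
                            f"collects fields the policy never mentions: {sorted(undisclosed_fields)}"))
        undisclosed_purposes = tool.purposes - policy.disclosed_purposes
        if undisclosed_purposes:
            gaps.append(Gap(tool.name, "Use and disclosure",
                            f"activates data for purposes not in the policy: {sorted(undisclosed_purposes)}"))
        if tool.direct_marketing:
            # Simplified reading of the direct marketing principle (assumption, not legal
            # advice): marketing needs a reasonable expectation set at collection or an
            # explicit consent, and must always carry a simple opt-out.
            expected_or_consented = (policy.marketing_in_collection_notice
                                     or "marketing" in policy.consent_flow_purposes)
            if not expected_or_consented:
                gaps.append(Gap(tool.name, "Use and disclosure (direct marketing)",
                                "markets to people who were never told to expect it and never consented"))
            if not tool.opt_out_offered:
                gaps.append(Gap(tool.name, "Use and disclosure (direct marketing)",
                                "no simple opt-out offered on marketing touches"))
    return gaps


# Constructed sample stack and policy. The enricher ingests an inferred field and
# builds lookalike audiences that the policy never describes, and sends marketing
# with no opt-out: the classic slow drift the page describes.
POLICY = Policy(
    disclosed_fields=frozenset({"email", "name", "device_id"}),
    disclosed_purposes=frozenset({"service", "marketing"}),
    marketing_in_collection_notice=True,
    consent_flow_purposes=frozenset({"marketing"}),
)

STACK = [
    Tool("crm", frozenset({"email", "name"}), frozenset({"service", "marketing"}),
         direct_marketing=True, opt_out_offered=True),
    Tool("helpdesk", frozenset({"email", "name"}), frozenset({"service"})),
    Tool("audience-enricher", frozenset({"email", "device_id", "inferred_interests"}),
         frozenset({"marketing", "lookalike_audiences"}),
         direct_marketing=True, opt_out_offered=False),
]


def run_example() -> list[Gap]:
    return gap_analysis(STACK, POLICY)


if __name__ == "__main__":
    for gap in run_example():
        print(f"[{gap.principle}] {gap.tool}: {gap.detail}")
```

Run as written it reports three gaps, all against the enricher; the CRM and helpdesk pass. The useful property is that the inventory is the only thing that changes when a tool is added: re-run the script and the new tool either passes or names the disclosure it is missing.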

The Australian context

The Australian Privacy Principles are specific to the Australian Privacy Act and differ from the European General Data Protection Regulation in structure and in some thresholds: for example, the Act's small business exemption leaves many organisations with annual turnover under A$3 million outside the principles altogether, a carve-out the GDPR does not have. The two are worth comparing directly rather than treating as interchangeable. The reform program underway is strengthening several principles, including around consent and direct marketing, so the direction of travel is toward more disclosure and tighter consent.

Where people get this wrong

Treating the principles as a one-time legal review. They govern an ongoing system. Every new tool added to the stack needs checking against them, or disclosure drifts behind what you actually collect.
Using personal data for marketing the person would not expect. The direct marketing principle sets a reasonable-expectation and consent standard. Activating data for a purpose the person never anticipated breaches it, even if you collected the data legitimately.
Assuming a GDPR setup automatically satisfies the principles. The frameworks overlap but differ. A GDPR-compliant stack is a strong start, but the Australian principles have their own structure and thresholds that need a separate check.

Common questions

What are the Australian Privacy Principles?

The thirteen rules that put the Privacy Act 1988 into practice. They govern how organisations collect, use, store, secure and disclose personal information, and the rights people have to access and correct it. One principle deals specifically with direct marketing.

Which principle applies to marketing?

The direct marketing principle. The default is that you should not use personal information for marketing unless the person would reasonably expect it or has consented, and you must always provide a simple way to opt out.

How are the principles different from the Privacy Act?

The Privacy Act is the law and the principles are how you follow it. The Act sets the obligations at a high level, and the thirteen principles spell out the practical rules for handling personal information across its whole life.

Do the principles match the European GDPR?

They overlap but differ in structure and some thresholds. A GDPR-compliant setup is a strong starting point but does not automatically satisfy the Australian principles, which need their own check.

About New Rebellion

New Rebellion is a marketing intelligence consultancy. We build tools, score Australian businesses on how their marketing actually performs, and publish Debrief every day. This dictionary is part of how we work in the open.